Case Study · Incident Response — Legal + Technical
Ransomware Attack Response: CERT-In Notification, Legal Privilege, Ransom Negotiation Advisory, and System Recovery for a Healthcare Technology Company
Engagement Background
The Situation When We Were Engaged
A Pune-based healthcare technology company — operating a SaaS platform used by 340 hospitals and clinics for patient record management and appointment scheduling — was struck by a LockBit 3.0 ransomware variant on a Sunday evening. The attack encrypted production databases, backup servers, and file shares across three cloud availability zones.
Protected Health Information (PHI) of over 8 lakh patients was potentially compromised. The attackers had established persistence 19 days before encryption — exfiltrating data during that dwell period. A ransom note demanded ₹3.2 crore in Monero with a 72-hour deadline before threatened public leak.
SIRI Law LLP was engaged at 11 PM on the night of discovery. Our first action was to establish legal privilege over the investigation — placing all forensic findings and communications within attorney-client privilege to protect the company during any regulatory investigation. CERT-In notification was filed within 6 hours. We then coordinated technical containment, negotiation advisory, and regulatory liaison simultaneously.
Client Profile
Assessment Scope
Simultaneous Legal and Technical Response — 72 Hours
Legal Privilege & CERT-In
Engagement structured under attorney-client privilege from hour one. All forensic findings, investigation reports, and internal communications protected. CERT-In 6-hour notification filed by qualified advocate. DPDPA breach assessment initiated.
Technical Containment & Forensics
Network segmentation to stop lateral movement. Forensic imaging of encrypted and unaffected systems. Initial access vector investigation — supply chain compromise via a third-party remote monitoring agent. Dwell period timeline reconstruction.
Ransom Negotiation Advisory
Legal analysis of ransom payment under FEMA, PMLA, and OFAC sanctions screening. Negotiation strategy developed — deadline extended by 96 hours. Parallel recovery track pursued to eliminate payment dependency. Data leak threat assessed and monitored.
Key Findings
What We Found
Each finding documented with evidence. Root cause and remediation guidance provided for every item.
Forensic analysis traced initial access to a compromised update delivered by a remote monitoring and management (RMM) vendor. The malicious update installed a backdoor 19 days before encryption. Vendor’s update server had been compromised — 12 of the vendor’s other customers were subsequently notified by law enforcement. All third-party remote access agents identified as a systemic risk vector.
Threat actor operated undetected for 19 days. Network traffic analysis confirmed exfiltration of patient demographic data, appointment records, and diagnostic codes via an encrypted C2 channel to infrastructure in Eastern Europe. Estimated 2.4 million records exfiltrated. DPDPA breach notification scope determined on this basis.
Backups had been stored in the same cloud account as production, and the IAM permissions held by the compromised accounts reached them, so production and backup systems were encrypted simultaneously. A single isolated offline backup — not part of the standard backup rotation — survived and became the primary recovery vehicle. Recovery time extended from an estimated 7 days to 28 days as a result.
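The backup finding above is a configuration failure that can be checked before an incident: can the principals a ransomware operator is likely to compromise delete, expire or unlock the backups? The following Python is an added example, not code from the engagement or from SIRI Law LLP. The bucket name, account IDs and role ARNs are constructed, and the evaluator implements only the core resource-policy rule (explicit Deny beats Allow, everything else is implicitly denied; no Condition or NotAction support), so it is a review aid rather than a substitute for the cloud provider's own policy simulator. It evaluates the "same account, same permissions" layout from the finding beside a hardened layout in which a dedicated writer role can only add objects and no production principal can destroy them.

```python
"""Check whether production principals can destroy a backup bucket's data.

Added example for this case study, not code from the engagement; the bucket,
account IDs and role names are constructed. The evaluator applies the core
IAM rule for a resource policy (explicit Deny beats Allow, anything else is
implicitly denied) and ignores Condition/NotAction, so it is a review aid,
not a substitute for the IAM policy simulator.
"""
import fnmatch

BUCKET = "arn:aws:s3:::phi-backups"                            # constructed
PROD_ROLE = "arn:aws:iam::111122223333:role/prod-app"          # constructed
BACKUP_ROLE = "arn:aws:iam::111122223333:role/backup-writer"   # constructed
BREAK_GLASS = "arn:aws:iam::444455556666:role/backup-admin"    # constructed

# Actions an intruder uses to delete, age out or unlock existing backups.
OBJECT_DESTRUCTIVE = ("s3:DeleteObject", "s3:DeleteObjectVersion",
                      "s3:PutObjectRetention", "s3:BypassGovernanceRetention")
BUCKET_DESTRUCTIVE = ("s3:PutBucketVersioning", "s3:PutBucketPolicy",
                      "s3:PutLifecycleConfiguration")


def _listify(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _match(patterns, value):
    """IAM wildcard match: '*' and '?' only, applied to the whole string."""
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))


def _principal_arns(spec):
    """Normalise '*' or {'AWS': ...} into a list of ARN patterns."""
    return ["*"] if spec == "*" else _listify(spec.get("AWS"))


def _principal_matches(statement, principal_arn):
    if "Principal" in statement:
        return _match(_principal_arns(statement["Principal"]), principal_arn)
    if "NotPrincipal" in statement:
        return not _match(_principal_arns(statement["NotPrincipal"]), principal_arn)
    return False


def is_allowed(policy, principal_arn, action, resource):
    """Resource-policy decision: default deny, explicit Deny wins."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st, principal_arn)
                and _match(st.get("Action"), action)
                and _match(st.get("Resource"), resource)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def exposed_actions(policy, principal_arn, bucket_arn=BUCKET):
    """Destructive actions the principal could run against the backups."""
    objects = [a for a in OBJECT_DESTRUCTIVE
               if is_allowed(policy, principal_arn, a, bucket_arn + "/*")]
    bucket = [a for a in BUCKET_DESTRUCTIVE
              if is_allowed(policy, principal_arn, a, bucket_arn)]
    return sorted(objects + bucket)


# Layout from the finding: backups in the production account, reachable by
# the same roles the attacker compromised.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": [PROD_ROLE, BACKUP_ROLE]},
         "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

# Hardened layout: the writer may only add objects (versioning plus Object
# Lock on the bucket, configured separately, turn overwrites into new
# versions), nobody may delete or shorten retention, and only a break-glass
# role in a separate account may touch bucket-level settings.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": BACKUP_ROLE},
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Allow",
         "Principal": {"AWS": BREAK_GLASS},
         "Action": list(BUCKET_DESTRUCTIVE) + ["s3:GetBucketPolicy"],
         "Resource": BUCKET},
        {"Effect": "Deny",
         "Principal": "*",
         "Action": list(OBJECT_DESTRUCTIVE),
         "Resource": BUCKET + "/*"},
        {"Effect": "Deny",
         "NotPrincipal": {"AWS": BREAK_GLASS},
         "Action": list(BUCKET_DESTRUCTIVE),
         "Resource": BUCKET},
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for role in (PROD_ROLE, BACKUP_ROLE, BREAK_GLASS):
            print(f"{name:8} {role.rsplit('/', 1)[1]:14} "
                  f"{exposed_actions(policy, role) or 'no destructive access'}")
```

Under the weak policy the production role can run every destructive action, which is exactly what let the encryption reach the backups in this engagement; under the hardened policy both production and writer roles come back empty, and the only remaining destructive power sits with a break-glass role in another account, where it can be gated by MFA and alerting. Two caveats a practitioner should keep in mind: a resource policy is only half the picture for principals in the same account, because identity policies there combine with it, which is the reason the hardened layout belongs in a separate backup account; and the writer role's read permission is itself an exfiltration path for PHI, so it should be scoped to the prefixes the backup job actually writes.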
The company had no documented incident response plan, no pre-designated IR retainer, and no pre-negotiated cyber insurance policy with IR coverage. Executive communication was uncoordinated in the first 3 hours — two board members spoke to journalists before legal counsel was engaged. A media containment strategy was required in addition to technical response.
Engagement Timeline
Phase-by-Phase Execution
Hours 0–6: Legal Privilege Established, CERT-In Notified
Engagement retainer executed at 11 PM. Attorney-client privilege established over investigation. Forensic team deployed. CERT-In notification filed at 4:47 AM — within the 6-hour window. DPDPA breach risk assessment initiated. Media communication freeze issued to all board and management.
Hours 6–48: Containment, Forensics, and Negotiation
Network segmentation completed. Forensic imaging of all systems — encrypted and intact. Initial access vector identified (RMM supply chain). Ransom negotiation: OFAC sanctions screening cleared; legal analysis confirmed no FEMA/PMLA bar to negotiation (but payment advice withheld pending recovery assessment). Deadline extension of 96 hours negotiated.
Days 3–14: Recovery from Isolated Backup + Parallel Decryption
Isolated backup identified and validated. Clean environment provisioned in separate cloud account. Staged data restoration — priority given to active hospital integrations. LockBit decryption key assessment: threat actor provided proof-of-decryption for sample files; ransom payment decision deferred as recovery progressed.
Days 15–28: Full Recovery, Regulatory Submissions, and Post-Incident Review
All production systems restored from clean backup by Day 28. No ransom paid. DPDPA breach notification prepared and filed — scope limited by forensic evidence to specific data categories. Insurance claim submitted. Supply chain vendor terminated and replaced. Post-incident security programme scoped.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
CERT-In 6-Hour Notification — CERT-In Directions of 28 April 2022 (Section 70B(6), IT Act 2000)
Ransomware attacks are explicitly listed as a reportable incident category. Notification within 6 hours of the incident being noticed, or being brought to the organisation's notice, is mandatory. The company had no prior mechanism to comply — SIRI Law LLP’s immediate engagement ensured notification was filed within the window, avoiding a reporting failure that would have compounded the regulatory exposure.
DPDPA — PHI Breach Notification to Data Protection Board
Exfiltration of 2.4 million patient records constitutes a significant personal data breach triggering DPDPA notification obligations to the Data Protection Board and potentially to affected data principals. Forensic scoping of exactly which data was exfiltrated determined the notification scope and limited unnecessary over-disclosure.
Ransom Payment — FEMA, PMLA, and OFAC Sanctions
Payment of ransom to threat actors requires legal analysis: OFAC sanctions screening to ensure the threat actor group is not a designated entity; FEMA compliance for cross-border payments; and PMLA analysis where cryptocurrency is involved. Legal advice on whether and how to pay — if payment is commercially necessary — is a critical legal function in ransomware response.
Insurance Coverage — Cyber Liability Policy
The company’s general commercial policy had a cyber exclusion. No standalone cyber liability policy existed. Insurance recovery was not available. Post-incident, a cyber liability policy with IR expense coverage, breach notification costs, business interruption, and ransom payment coverage was structured — this engagement quantified the premium justification.
Outcomes & Remediation
What Changed After Our Assessment
CERT-In Notified in 6 Hours — No Reporting Failure
CERT-In notification filed at 4:47 AM on the night of engagement. Regulatory obligation met. CERT-In investigation team engaged cooperatively — forensic evidence shared under legal coordination.
Zero Ransom Paid — Full Recovery from Backup
Systems fully restored from isolated backup by Day 28. Ransom demand of ₹3.2 crore not paid. Threat actor’s data leak threat monitored — no leak observed over 90-day monitoring period.
DPDPA Breach Notification — Scoped and Filed
Forensic evidence limited notification scope. Data Protection Board notification filed. Affected data principal notification strategy prepared — selective notification based on evidence of actual access rather than blanket notification.
Supply Chain Risk Remediated — Third-Party Access Policy Implemented
Compromised RMM vendor terminated. All third-party remote access agents reviewed. Vendor security assessment process implemented as a condition of all future remote access agreements. Software supply chain risk policy drafted by SIRI Law LLP.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Attorney-client privilege from minute one — protects findings in regulatory investigation
CERT-In notification is a legal obligation — we draft and file it
Ransom payment legal analysis — FEMA, PMLA, OFAC — not available from technical-only IR firms
24/7 engagement availability — we were retained at 11 PM on a Sunday
Director GRC & Legal — Adv. Chetan Seripally
Facing a Ransomware Attack or Security Incident?
Contact SIRI Law LLP for a confidential scoping call with our legal and technical experts.

